
SNMP monitoring of LAN devices over WAN

Hi All.

I've come up with a problem configuring SNMP monitoring of a remote site. I need to monitor 5 switches on their LAN using SNMP. There is a firewall doing NATing. I've checked the forum and some people say SNMP cannot be done over NAT, some say if you do Static NAT it should work, so that's a bit confusing. Could anybody explain whether it is possible to do that, please?

If I use these methods of nat translation, for example:

1. lan ip) port 161 to wan ip) port 10161 lan ip) port 161 to wan ip) port 10162

2. lan ip) port 161 to wan ip) port 161 lan ip) port 161 to wan ip) port 161

3. Use something else? OID or MIB ?

I'd highly appreciate your help, guys, as I need it up and running like yesterday.




You probably need an ACL on the outside interface to permit UDP, and on the HQ end you also need the necessary ACL. You may want to give a more detailed topology and the configuration of both ends to sort this out.




Thanks for your reply.

Our side is properly configured so there is no issue there, as we can monitor other devices once you put their WAN IP addresses.

The remote side is really straightforward. One core C3750 switch and 4 other switches, C2960 and C3750, connected to it. All of them are configured with snmp-community and an ACL list permitting our WAN IP address (monitoring side). The default gateway is a CheckPoint firewall doing NATing. We added a NAT rule like no. 2 above, and I think it should automatically add an ACL rule to allow SNMP traffic.

Do you think Static NAT is fine and it should work, so SNMP traffic can be translated using static NAT rule? But the problem with ACL?




Does anybody have a solution for this?

Is it possible to use PAT in some way?

There is one public IP address and 5 local devices configured with an SNMP community that need to be monitored remotely.

Would PAT translation work to monitor them remotely using SNMP?

I've tried this:

ip nat inside source static udp 161 161 ext

to all 5 devices and it works, but can't use 161 for all of them at the same time.
I tried this one:

ip nat inside source static udp 161 30161
ip nat inside source static udp 161 30162

and it doesn't work.
So what other methods can be used, or are there none?



Try adding the 'extendable' keyword to the end of each of your nat statements.



The router automatically adds that. Anyway, it does make a difference how you enter it; it still says Not connected.



Hi FireStomenet

I had a similar issue with multiple CPE devices at a client site. I did attempt to perform the PAT on the edge; however, the SNMP server downstream would just view the same socket of srcip:162 and could never differentiate between the different hosts. Could you stand up some form of routing tunnel (i.e. IPsec, GRE) so you can natively communicate to the source IP addresses of the separate subnet? Even if there was a subnet conflict for any reason, you could always implement intermediate NATs.

I punted this problem around for a while and eventually realized the tunnel was just the easiest route.

Hope this helps.